Setting up ALM

Using the ALM feature requires that (1) profile mastering is enabled, (2) you have chosen a profile master from the list under Profile master priority on the Profile Editor page, and (3) any desired mappings are specified through UD mapping.

The first step in setting up ALM is to enable profile mastering. Use of ALM assumes that more than one profile master is set on the Profile Masters page. In order for these profile-mastered apps to appear on the Profile Editor under Profile master priority, as shown below, profile mastering must be enabled for those apps.

Enable Profile Mastering for Active Directory

From the Administrative Dashboard, go to the Directory drop-down menu.

From the drop-down menu, choose Directory integrations.

Click the Active Directory instance.

Choose the Settings tab.

Scroll down to Provisioning Features > Profile Master.

Check the Enable button.

Enable Profile Mastering for Other Profile Mastering Apps

From the Administrative Dashboard, go to the Applications drop-down menu.

Establish Profile Masters by attribute

The second step of setting up ALM is to establish mastery by attribute. If your profile master(s) have been successfully enabled, they appear as a list under User > Profile master priority. When you scroll down to Attributes > Master priority (in the right-side column), the default state is Inherit from profile master, which retains the profile master set for the entire profile. To change the priority, you have the following options:

Inherit from profile master: Picks up the default profile master for the entire profile, as shown in the Profile master priority field.

Inherit from Okta: Picks up this particular attribute value from Okta. This attribute value can be edited in three ways: via the user's Profile tab, the Okta API or, if appropriate for end-user modification, by the end user.

From the Profile Editor page, select the source you wish to edit, then click Profile in the Actions column.

From the left-side column (Base or Custom), choose an attribute. An example might be Last name. Click the Information icon in the right-hand column.

From the Master priority drop-down list, you can choose to either Inherit from profile master, Inherit from Okta, or Override profile master.

Note: The Override profile master option allows you to delete a master here if you don't want it available to a particular attribute. To do this, click the X beside the app name. This does not generally disable the app as a master.

See below for an example scenario of how this might work with Workday and Active Directory as two profile masters.

Example Profile Master Set

Profile master: Default master for the entire profile.

Workday, Active Directory

Attribute master: Alternative master for a particular attribute.

3rd attribute: mobile phone = Active Directory

All other attributes: Workday

Example Attributes

First name: Workday

Last name: Workday

Mobile phone: Active Directory

Work phone: Workday

Mapping the Attribute on the Profile Mappings Page

The third, optional step of setting up ALM is to map the attribute through UD. If no mappings are set up, the attribute has a null value.

After you have chosen an attribute to change and set the Master priority to Override profile master, for example, the attribute must be mapped. To map the attribute, do the following:

From the Profile Editor page, click the Profile Mappings tab.

Choose the app instance of the profile master you wish to map.

Click the Edit Mappings button.

From the list of attributes on the left, find the attribute (such as Last name) you have chosen to change. Note: ALM only maps from a profile mastered app to Okta; it is not bidirectional.

Click the Save Mappings button to save your choices.

If you have selected an attribute that has no mapping from the primary profile master, the attribute has a null value. A value is not pulled from any other master apps in the priority list.
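The null-value rule above, together with the three Master priority options, worked through as an added example: this is a simplified model written for this page, not Okta code or an Okta API. Assumptions: the first entry in a priority list is the primary master, every listed master has imported the user, and all attribute names and values are constructed.

```python
# Simplified model of the ALM rules described on this page (not Okta code).
INHERIT_MASTER = "Inherit from profile master"
INHERIT_OKTA = "Inherit from Okta"
OVERRIDE = "Override profile master"

def resolve_attribute(attr, profile_priority, setting, mappings, sources, okta_values):
    """Return (value, source) for one Okta attribute.

    setting:  (mode, override_list) chosen under Master priority.
    mappings: {app: {okta_attr: app_attr}} from the Profile Mappings tab.
    sources:  {app: {app_attr: value}} values held by each master app.
    """
    mode, override = setting
    if mode == INHERIT_OKTA:
        return okta_values.get(attr), "Okta"
    priority = override if mode == OVERRIDE else profile_priority
    if not priority:
        return None, None
    primary = priority[0]  # assumption: first entry is the primary master
    app_attr = mappings.get(primary, {}).get(attr)
    if app_attr is None:
        # No mapping from the primary master: null, with no fall-through
        # to other masters in the priority list.
        return None, primary
    return sources.get(primary, {}).get(app_attr), primary

def resolve_profile(attrs, profile_priority, settings, mappings, sources, okta_values):
    default = (INHERIT_MASTER, None)
    return {a: resolve_attribute(a, profile_priority, settings.get(a, default),
                                 mappings, sources, okta_values) for a in attrs}

# Constructed sample data mirroring the Workday / Active Directory scenario.
PRIORITY = ["Workday", "Active Directory"]
SETTINGS = {"mobilePhone": (OVERRIDE, ["Active Directory"]),
            "displayName": (INHERIT_OKTA, None)}
MAPPINGS = {"Workday": {"firstName": "first_name", "lastName": "last_name"},
            "Active Directory": {"mobilePhone": "mobile", "primaryPhone": "telephoneNumber"}}
SOURCES = {"Workday": {"first_name": "Ada", "last_name": "Lovelace"},
           "Active Directory": {"mobile": "+1 555 0100", "telephoneNumber": "+1 555 0199"}}
OKTA = {"displayName": "Ada L."}
ATTRS = ["firstName", "lastName", "mobilePhone", "primaryPhone", "displayName"]

def demo():
    return resolve_profile(ATTRS, PRIORITY, SETTINGS, MAPPINGS, SOURCES, OKTA)

if __name__ == "__main__":
    for attr, (value, source) in demo().items():
        print(f"{attr:13} {value!r:18} from {source}")
```

In this sample, primaryPhone resolves to null: Workday is its primary master but has no mapping for it, and the Active Directory value is not used.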

Allowing End-User Edit Permissions

There are some attributes that can be mastered inside Okta, then managed by an Okta admin or their end users. Although end-users cannot change their most primary attributes (such as first name, last name, or primary email), you may want to allow them to add or change attributes like personal email address or preferred display name. These attributes would appear as editable fields on their Settings > Account page.

To allow end-user editing of certain attributes, do the following:

From the Directory drop-down menu, choose Profile Editor.

From the Profile Editor page, on the left-side panel under Filters, select a profile type to narrow the list of apps.

Find the app source you wish to edit, then click the Profile button in the Actions column on the right side.

Under Attributes, from the left-side column (Base or Custom), choose an attribute, then click the Information icon in the right-hand column.

From the User permission drop-down menu you can choose one of the following options:

Hide: Hides the attribute field from the end-user list.

Read Only: Does not allow the field to be edited.

Read-Write: Allows the end-user to change or add information to the attribute field.